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Examiner Art Unit 
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-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days wilt be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S. C. § 1 33). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )□ Responsive to communication(s) filed on . 

2a)n This action is FINAL. 2b)S This action is non-final. 

3) 0 Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 1-22 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) 0 Claim(s) is/are allowed. 

6) [S1 Claim(s) 1-22 is/are rejected. 
?)□ Claim(s) is/are objected to. 

8) n Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) n The specification is objected to by the Examiner. 

10)0 The drawing(s) filed on is/are: a)n accepted or b)n objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a), 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1 .121 (d), 

1 1 )□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-1 52, 

Priority under 35 U.S.C. § 119 

12)n Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19(a)-(d) or (f). 
a)n All b)n Some * c)^ None of: 

1 .□ Certified copies of the priority documents have been received. 

2. n Certified copies of the priority documents have been received in Application No. . 

3. n Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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Claim Rejections - 35 USC § 103 


The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 


obviousness rejections set forth in this Office action: 


(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 


2. Claims 1,3,5-6, 11, 13, 15, 17, 19, 21-22 are sill rejected under 35 U.S.C. 103(a) as 
being unpatentable over (Messmer and Newton's Telecom Dictionary) in further view of 
Livermore. 

3. As per claims above, Messmer teaches outsourcing intrusion detection. Messmer also 
teaches that Counterpane manages intrusion-detection services, by having a black box that is 
located on a companies network. Thus, the Examiner asserts that by having the black box sensor 
that is located on the network, this constitutes a security subsystem, because the security 
subsystem continuously monitors and collects data and transmits the information to 
Counterpane's data center(i.e. Master system). Also, because the Applicant provides no specific 
definition of a master system, the Examiner broadly interprets a master system to be any system 
that is analyzes information from the subsystem, because Messmer teaches that all data from 
customer's network is transmitted to the Master system(i.e. Counterpane's data center). Further, 
Messmer teaches that the subsystem(i.e. black box) without human control is configured to 
correlate events across a plurality of devices associated with the network of computers and detect 
attacks on the computer, because Messmer teaches that a probe or "black box sensor" is put on 
the customer's network(i.e. target network) to accept audit data from a wide range of devices. 
Further, Messmer teaches that the black box sensor captures syslog and audit outputs from 
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Windows NT, Solaris, Linux servers; firewalls; ISS and intrusion detection software. Further, 
master system(i.e. Counterpane's data center) registers information pertaining to attacks detected 
by the security subsystem(i.e. black box), because Messmer teaches that the black box regularly 
transmits the network activity output to the master system(i.e. data centers). Furthermore, 
Messmer teaches that the data that is transmitted to the master system(i.e. data center) are 
footprints of attacks, and the data center has analysts that are trained to understand them. Thus, 
the Examiner asserts that the data that is transmitted is outputted to the master system(i.e. data 
center), and registered so the information can be analyzed by the analysts. Lastly, Messmer 
teaches that the security subsystem(i.e. black box) and the master system(i.e. Counterpane's data 
center) communicates by using encryption, because Messmer teaches that the Counterpane's 
black box regularly transmits the network activity output in encrypted form to Counterpane's 
data center(i.e. master system). 

4. The Examiner asserts that since the Applicant does not provide a definition of a secure 
link(i.e. channel). The Examiner looks towards Newton's Telecom Dictionary. According to 
Newton's Telecom Dictionary, a secure channel(i.e. link) is defined as technology that provides 
privacy, integrity, and authentication in point-to-point communication(see pg. 636). Thus, the 
Examiner asserts that the encryption taught in Messmer is a secure channel, because encrypting 
insures that information is protected from unauthorized viewing or use; therefore, insuring 
privacy, and integrity is maintained because if information is private the information cannot be 
manipulated, and authentication because in encryption in order to decode the information one 
must have the corresponding key to decode. Thus, the motivation to have an encrypted 
channel(i.e. link) is that the information that is sent between the two points of security subsystem 


Application/Control Number: 09/770,525 Page 4 

Aft Unit: 2131 

and the master system is kept private and integrity is kept, and both parties can be authenticated, 
and thus prevents intruders or unauthorized users from manipulating information. 
5. Further, Messmer nor Newton's Telecom Dictionary disclose a master system that 
automatically with human control. However, Livermore teaches automated response to 
intrusions. It would have been obvious to one of ordinary skill in the art at the time of the 
invention to be motivated to include automated response in Messmer and Newton's Telecom 
Dictionary, the motivation is that automated response is more efficient and provides faster 
response time than human capacity, because a response can be within a millisecond(see pg. 20). 
Further, Livermore also teaches that people have moved toward automation for real-time 
intrusion because malicious attackers now commonly use automation in their attacks(see pg, 4) 

5. As per independent claims 11, 21-22, and also dependent claims 3, 6, 15, 19, limitations 
have already been addressed see claim 1 above. Also, claims 11, 21-22, 3, 6, 15, 19 include a 
master system hierarchically independent from the security subsystem. The Examiner asserts 
that Messmer discloses this because Messmer teaches that the master system(i.e. data center) is 
located in California or Virginia and that all data located on customer's network is transmitted to 
the master system. Also, the master system monitors the security subsystem around the clock, 
and the master system and Messmer also teaches that the master system is an outsourced 
intrusion detection. Thus, the Examiner asserts that the Master system is hierarchically 
independent from the security subsystem. 

6. As per claims 4, 7, Messmer teaches that a security subsystem is hierarchically 
subordinate to the master system, because Messmer teaches that the customer's network has a 
black box sensor that correlates all the information from devices on the customer's network(see 
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claim 1, above), and this information is transferred to the Master system. Further, the master 
system(i.e. data center) of Messmer tells customers how to handle intrusions. Therefore, the 
Examiner asserts that the security subsystem is subordinate to the master system. 

7. As per claims 14, 18, Messmer teaches that the detection means(i.e. black box sensor) is 
one or more selected from the group consisting of an intrusion detection system, firewall and 
security subsystem. The Examiner asserts that Messmer meets this limitation, because the black 
box sensor detects attack on the network. 

Claim Rejections - 35 USC § 103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

9. Claims 2, 8, 12, 16, 20 are still rejected under 35 U.S.C. 103(a) as being unpatentable 
over Messmer and Newton's Telecom Dictionary, Livermore, in view of Kurtzberg et al. and 
further in view of Hill et al. 

10. As per the claims above, Messmer and Livermore are silent on how the data center test 
for vulnerabilities. However, Kurtzberg et al. discloses testing a system by having a psuedo(i.e. 
simulated) attack generator for generating attacks on the computer(see col. 3, lines 21-28). 
Although, Messmer does not explicitly disclose comparing pseudo-attack to the attacks detected 
by the security subsystem, the Examiner looks towards Hill et al. for this feature. Hill et al. 
discloses comparing pseudo-attacks(i.e. training attacks) to the attacks detected by the security 
system(see col. 3, lines 20-36). 
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11. It would have been obvious to modify Messmer and Newton's Telecom Dictionary, and 
Livermore with the features of Kurtzberg et al. and Hill et al. The Messmer and Newton 
Dictionary, and Livermore, do not teach how the testing is done. Therefore, the Examiner looks 
towards Kurtzberg et al. and Hill et al. to include the features of pseudo attack generator and 
comparing the psuedo attacks to attacks detected by the system. Thus, the motivation to include 
how the testing is performed of Kurtzberg and Hill et al. with Messmer and Newton's Telecom 
Dictionary, and Livermore, combination includes the data center testing for vulnerabilities of the 
security subsystem by using the pseudo attack generator, and comparing the pseudo attacks to 
attacks detected by the system. This method of testing insures that integrity is maintained by 
testing the security subsystem thereby protecting the network form unauthorized penetrations 
(see col. 1, lines 35-40 of Kurtzberg et al.). Thus, integrity of a computer system can be tested 
reUably to improve or complement the system performance(see col. 1, lines 65-67 of Kurtzberg). 

12. Claim 9 is rejected under 35 U.S.C. 103(a) as being unpatentable over Messmer and 
Newton Telecom Dictionary, Livermore, Kurtzberg and further in view of Hill as applied to 
claim 8 above. 

13. As per claim 9, the Examiner asserts that Messmer discloses this because Messmer 
teaches that the master system(i.e. data center) is located in Califomia or Virginia and that all 
data located on customer's network is transmitted to the master system. Also, the master system 
monitors the security subsystem around the clock, and the master system and Messmer also 
teaches that the master system is an outsourced intrusion detection. Thus, the Examiner asserts 
that the Master system is hierarchically independent from the security subsystem. 
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14. Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over Messmer and 
Newton Telecom Dictionary, and Livermore, Kurtzberg and further in view of Hill as applied to 
claim 8 above. 

15. As per claim 10, Messmer teaches that a security subsystem is hierarchically subordinate 
to the master system, because Messmer teaches that the customer's network has a black box 
sensor that correlates all the information from devices on the customer's network(see claim 1, 
above), and this information is transferred to the Master system. Further, the master system(i.e. 
data center) of Messmer tells customers how to handle intrusions. Therefore, the Examiner 
asserts that the security subsystem is subordinate to the master system. 

Response To Amendment 

16. The Applicant states that Messmer teaches that the black box only captures the security- 
related data and passes it onto the center. Further, the Applicant states that the black box does 
not automatically and without human control correlate events recorded in the syslog, audit 
outputs or in any other network activity output. The Examiner disagrees with the Applicant. 
Messmer teaches that the black box sensor captures syslog and audit outputs from Windows NT, 
Solaris, Linux servers; firewalls; ISS and intrusion detection software. Messmer does not teach 
human control with analyzing the data from the black box sensor; therefore, the black box sensor 
meets the claims limitation (see above), that claims the security subsystem.... with human 
control. The information from the black box sensor is transmitted to a data center for analysts by 
human analysts. Thus, the new limitation of without human control. ... of a master system is not 
taught in Messmer. 
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Conclusion 


Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jenise E Jackson whose telephone number is (703) 306-0426. 
The examiner can normally be reached on M-Th (6:00 a.m. - 3:30 p.m.) alternate Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (703) 305-9648. The fax phone numbers for the 
organization where this application or proceeding is assigned are (703) 305-0040 for regular 
commimications and (703) 308-6306 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is (703) 305-3900. 




